APT28 Hackers Exploit Signal Chats in Latest Malware Campaign Targeting Ukraine

Vlad CONSTANTINESCU

June 24, 2025

Threat actors exploit encrypted messenger Signal chats in a wave of Russia-linked phishing attacks.

Signal chats weaponized into delivery vectors

Russian state-backed threat actors known as APT28 have launched a new wave of cyberattacks against Ukrainian government entities by weaponizing Signal chats to drop malware.

Signal, the widely used encrypted messaging app, remains secure, but perpetrators have found creative ways to exploit its communication channels for phishing.

The attacks were first spotted by Ukraine’s Computer Emergency Response Team (CERT-UA) in early 2024. However, details remained scarce until May 2025, when a renewed investigation triggered by unauthorized access to a Ukrainian government email uncovered the malicious use of Signal to distribute a rogue Word document harboring embedded malicious macros.

New ‘BeardShell’ and ‘SlimAgent’ malware families discovered

The malicious document dropped a memory-resident backdoor known as Covenant, according to CERT-UA’s analysis. Once activated, Covenant loaded additional payloads, including a dynamic link library and a WAV file with embedded shellcode, which in turn deployed “BeardShell,” a previously undocumented piece of malware written in C++.

BeardShell is designed to retrieve and run encrypted PowerShell scripts, sending execution logs to a command-and-control (C2) server controlled by the attackers through the Icedrive API. The malware persists on infected systems using COM-hijacking techniques within the Windows registry, maintaining its foothold even after reboots or updates.
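One defender-side check for the COM-hijacking persistence described above, added here as an example (it is not CERT-UA's or Bitdefender's tooling): a PowerShell audit of per-user CLSID registrations that shadow machine-wide ones or point at user-writable paths. The article does not name the CLSID BeardShell hijacks, so the script scans all per-user entries rather than a specific one.

```powershell
# Audit per-user COM registrations that shadow machine-wide ones.
# COM hijacking registers an InprocServer32 under HKCU\Software\Classes\CLSID,
# which Windows consults before HKLM, so a DLL in a user-writable location
# replaces the legitimate server. Added triage script, not vendor tooling.

$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

function Get-ComHijackCandidates {
    if (-not (Test-Path $userClsidRoot)) { return @() }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $userServerKey = Join-Path $userClsidRoot "$clsid\InprocServer32"
        if (-not (Test-Path $userServerKey)) { return }

        $userDll = (Get-ItemProperty -Path $userServerKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { return }

        $machineServerKey = Join-Path $machineClsidRoot "$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineServerKey) {
            $machineDll = (Get-ItemProperty -Path $machineServerKey -ErrorAction SilentlyContinue).'(default)'
        }

        # Expand %VAR% references so the path can be compared and checked on disk.
        $expandedUser = [Environment]::ExpandEnvironmentVariables($userDll.Trim('"'))

        # Flag entries that override a machine-wide server or that live in
        # user-writable directories, the usual shape of a hijack.
        $shadowsMachine = $machineDll -and ($machineDll -ne $userDll)
        $userWritable   = $expandedUser -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

        if ($shadowsMachine -or $userWritable) {
            [PSCustomObject]@{
                CLSID          = $clsid
                UserDll        = $expandedUser
                MachineDll     = $machineDll
                ShadowsMachine = [bool]$shadowsMachine
                DllExists      = Test-Path -LiteralPath $expandedUser
            }
        }
    }
}

Get-ComHijackCandidates | Format-Table -AutoSize
```

Legitimate per-user COM servers (per-user application installs, some browser components) will also appear, so treat the output as a triage list to verify against known-good installs rather than as a verdict.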

SlimAgent facilitates stealthy screenshot capture

Alongside BeardShell, researchers identified another novel tool, dubbed “SlimAgent,” first seen in earlier stages of the campaign. This malware component specializes in covertly capturing screenshots using native Windows APIs. The tool uses locally stored AES and RSA routines to encrypt the captured images, likely for later extraction by another malicious module.

Together, the two malware strains suggest a layered surveillance strategy aimed at intelligence collection, with SlimAgent operating as a passive observer while its counterpart, BeardShell, served as the command-execution engine.

Ongoing tensions around Signal’s role

This campaign is part of a broader trend involving the misuse of Signal by cyberspies. Ukrainian authorities have expressed frustration at the app’s perceived lack of cooperation in halting Russia-linked operations, particularly after past incidents involving account hijacking and malware distribution through the app.

Signal leadership, however, has denied ever collaborating with any government to block communications or share data. While no vulnerabilities were found in the app itself, Signal’s infrastructure is often co-opted as a delivery method in increasingly complex cyber operations.

Outsmart scammers with specialized tools

You no longer need to be an expert to protect yourself from malware and scams. Dedicated software like Bitdefender Ultimate Security offers robust protection with advanced, real-time threat detection, secure VPN and identity theft coverage, all in one streamlined suite.

For quick, on-the-go scam checks, Bitdefender Scamio is an AI-powered chatbot that reviews suspicious messages, links, emails, images, and even described scenarios in seconds. Whether you’re dealing with phishing emails or shady QR codes, Scamio helps you verify threats before they do harm.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
